Privacy Policy

ETHICS AND PERSONAL DATA PROTECTION CHARTER

The company IP-LABEL (the “Company”), a simplified joint-stock company with share capital of EUR 549,728, whose registered office is located at 90 Boulevard National – 92250 La Garenne-Colombes, France, registered with the Nanterre Trade and Companies Register under number B 327 139 309, mainly provides services enabling its clients to manage and optimize their “digital experience” (the “IP-LABEL Services”).

The IP-LABEL Services measure the quality of experience of users (hereinafter the “Users”) of all digital services such as web, business and mobile applications, as well as telephony, video, voice, etc. Some IP-LABEL Services (focused on user experience) therefore make it possible to improve availability, response times and performance of the Client’s critical applications. The Client has entered into a contract with the Company (the “Contract”) in order to benefit from one or more IP-LABEL Services.

It follows from the above that the Company is required both (i) to collect personal data and process it on its own behalf and (ii) to collect personal data on behalf of and for the account of the Client, IP-LABEL then acting as a processor, meaning a third party processing personal data according to the instructions and under the authority of the data controller, namely the Client. “Personal Data” means any information relating to an identified or identifiable natural person, any data enabling a natural person to be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or to one or more specific elements relating to their physical, physiological, genetic, mental, economic, cultural or social identity.

The Personal Data collected remains the exclusive property of the Users from whom it is collected. Such Personal Data is entrusted by mandate to the Company and the Client solely within the scope of the purpose of the Services subscribed to by the Client, with the express consent of the Users and on the basis of detailed information regarding the purpose of the relevant Services, in full transparency.

The Company files declarations relating to the processing of Personal Data carried out on its own behalf with an independent European supervisory authority (hereinafter the “Supervisory Authority”) (in France, the National Commission on Informatics and Liberties – CNIL). No specific declaration is made by the Company regarding its data collection and processing activities carried out on behalf of the Client, since only the Client is legally responsible for the processing of Personal Data collected on its behalf, over which the Company does not have effective control.

However, in accordance with the provisions of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of Personal Data and on the free movement of such data (the “European Regulation”), the Company and the Client undertake, throughout the duration of the Contract, to comply with the provisions of this Charter in connection with the collection, management and use of Users’ Personal Data.

The protection of collected Personal Data and respect for Users’ privacy are central concerns of the Company. The Company therefore undertakes to deploy, throughout the entire chain of collection, hosting, processing and circulation, the necessary technical and organizational measures to ensure such protection and respect, and to work only with partners who deploy equivalent measures and adhere to this Charter, in accordance with the commitments set out below.

The Company undertakes to:

  1. Process Users’ Personal Data solely for the purpose(s) covered by the Contract;

  2. Process Users’ Personal Data in accordance with the documented instructions of the data controller designated by the Client in the appendix to the Contract. If the Company considers that an instruction constitutes a violation of the European Regulation or any other provision of Union or Member State law relating to data protection, it shall immediately inform the Client’s data controller. Furthermore, if the Company is required to transfer data to a third country or an international organization pursuant to Union or Member State law, it shall inform the Client’s data controller of this legal obligation prior to processing, unless such law prohibits such information;

  3. Ensure the confidentiality of Users’ Personal Data processed under the Contract and the Services;

  4. Ensure that Company personnel authorized to process Users’ Personal Data under the Contract (a) commit themselves to confidentiality or are subject to an appropriate statutory obligation of confidentiality, and (b) receive appropriate training in Personal Data protection;

  5. Take into account, with regard to its software and/or Services, the principles of Personal Data protection by design;

  6. Inform the Client’s data controller in advance and in writing of any intended change concerning the addition or replacement of subprocessors. This information must clearly indicate the outsourced processing activities, the identity and contact details of the subprocessor, and the dates of the subcontracting agreement. The Client shall have a minimum period of thirty (30) days from receipt of such information to raise objections. In the event of objection, the Client must send the Company, before the expiration of the thirty (30)-day period and before the addition or replacement takes effect, a registered letter with acknowledgment of receipt terminating the affected Service(s). Such termination shall take effect upon expiry of the aforementioned thirty (30)-day period. The Client shall bear any consequences of such early termination provided for in the Contract. Failing termination notification within this period, the Client shall be deemed to have irrevocably accepted the addition or replacement of subprocessors. Any subprocessor must comply with the obligations of this Charter. The Company shall ensure that the subprocessor provides sufficient guarantees regarding the implementation of appropriate technical and organizational measures to ensure compliance with the European Regulation. The Company remains fully liable to the Client for the performance of the subprocessor’s obligations;

  7. Implement security measures to ensure the confidentiality and integrity of Personal Data so that unauthorized third parties cannot modify, damage or access it, using means proportionate to the value or criticality of the data, including, where necessary:
    (i) pseudonymization and encryption;
    (ii) measures ensuring continuous confidentiality, integrity, availability and resilience of processing systems and services;
    (iii) measures enabling the restoration of availability and access in a timely manner in the event of a physical or technical incident;
    (iv) procedures to regularly test, analyze and evaluate the effectiveness of technical and organizational measures;

  8. Notify the Client’s data controller of any Personal Data breach after becoming aware of it, by email confirmed by registered letter with acknowledgment of receipt, together with all relevant documentation enabling the Client to notify the competent Supervisory Authority if required;

  9. Assist the Client, where possible and at the rates provided for in the Contract, in responding to requests for exercising Users’ rights: right of access, rectification, erasure and objection, right to restriction of processing, right to data portability, and right not to be subject to automated individual decision-making (including profiling). When a User submits such requests directly to the Company, the Company shall forward them promptly by email to the Client’s designated data controller;

  10. Destroy all Users’ Personal Data at the end of the Services related to such processing;

  11. Assist the Client, within the scope of the subscribed Services and at the rates provided for in the Contract, with any service relating to the protection of Users’ Personal Data, including assistance with any prior consultation of the Supervisory Authority;

  12. Make available to the Client the documentation necessary to demonstrate compliance with its obligations and to enable audits, including inspections, by an auditor appointed by the Client (a “Third-Party Auditor”), and contribute to such audits. The Client may, at its own expense, appoint a Third-Party Auditor provided that such auditor holds certification granted by the Supervisory Authority, is not directly or indirectly engaged in a competing activity, is not linked to a company engaged in such activity, and has agreed in writing to confidentiality obligations and submitted a declaration of absence of conflict of interest. The Company may object to a designated Third-Party Auditor for justified reasons. The Client is limited to one audit per contractual year, subject to fifteen (15) days’ prior notice. The audit must comply with the methodology defined by CNIL deliberation No. 2011-316 of 6 October 2011;

  13. Maintain a written record of all categories of processing activities carried out on behalf of the Client, including:
    (a) the name and contact details of the data controller, subprocessors and, where applicable, the data protection officer;
    (b) the categories of processing activities;
    (c) any transfers to third countries or international organizations and relevant safeguards;
    (d) a general description of security measures.

For its part, the Client declares that:

  1. No collection or processing of Personal Data will be entrusted to the Company without the Client’s declaration or authorization from a Supervisory Authority;

  2. The purpose of processing is determined, explicit and legitimate. The User’s “opt-in” consent collected by the Client is informed and based on a clearly defined service purpose.

The Client further undertakes to:

  1. Not resell or exploit Personal Data outside the scope accepted by Users, who retain the right to modify their consent at any time;

  2. Ensure that Users have rights of access, rectification and deletion of their Personal Data;

  3. Designate a data controller under the Contract and notify the Company of their details by registered letter with acknowledgment of receipt.

This Charter shall enter into force on the date of signature of the Contract and remain in effect for its duration. It is governed by French law. Any dispute shall fall under the exclusive jurisdiction of the Paris Commercial Court.

Failure by either party to invoke a breach shall not constitute a waiver.

If any provision is declared invalid, the parties shall agree on replacement provisions achieving the original intent. All other provisions shall remain in full force and effect.